Fedora 17 : roundcubemail-0.8.5-1.fc17 (2013-2177)

Medium Nessus Plugin ID 64676

Synopsis

The remote Fedora host is missing a security update.

Description

Cross-site scripting (XSS) flaws were found in the way Round Cube Webmail, a browser-based multilingual IMAP client, performed sanitization of 'data' and 'vbscript' URLs. A remote attacker could provide a specially crafted URL that, when opened, would lead to arbitrary JavaScript, VisualBasic script or HTML code execution in the context of Round Cube Webmail's user session.

Upstream ticket: [1] http://trac.roundcube.net/ticket/1488850

Further details: [2] http://trac.roundcube.net/attachment/ticket/1488850/RoundCube2XSS.pdf

Upstream patch: [3] https://github.com/roundcube/roundcubemail/commit/74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.